Home Technical Support Managing IDs, Environments, and Compatibility in DefectDojo

Managing IDs, Environments, and Compatibility in DefectDojo

Last updated on Jan 06, 2026

Managing IDs, Environments, and Compatibility in DefectDojo

DefectDojo is a powerful open‑source platform for aggregating, normalizing, and tracking security findings across many tools and pipelines. Learners often wonder how to locate key identifiers (engagement, project, lead), which scans belong to SAST versus DAST, whether specific tools such as InSpec or TruffleHog integrate smoothly, and how to troubleshoot missing data after an automated upload. This article walks through each of those topics step‑by‑step, provides practical examples, and offers quick‑reference tips for a smooth DevSecOps workflow.

1. Retrieving Core IDs (Engagement, Project, Lead)

Every finding in DefectDojo is tied to three primary objects:

Object Purpose Where to Find It
Project Top‑level container for a product or application Products → Product List → click the product; URL contains product_id=
Engagement Represents a specific test window (e.g., a quarterly SAST run) Engagements → Engagement List → click the engagement; URL contains engagement_id=
Lead The user who owns or is responsible for the engagement Inside the engagement detail page under Lead field (user ID appears in the URL as lead=)

Quick CLI/Script Method

If you prefer automation, the DefectDojo REST API can return these IDs in JSON:

# Example: Get all engagements for a product
curl -s -H "Authorization: Token $DD_API_KEY" \
     "https://dojo.example.com/api/v2/engagements/?product=$PRODUCT_ID" \
| jq '.results[] | {id: .id, name: .name, lead: .lead}'

Replace $DD_API_KEY and $PRODUCT_ID with your token and product ID. The output lists each engagement’s id and the associated lead user ID.

2. Understanding Which Scans Belong to SAST vs. DAST

DefectDojo does not enforce a strict taxonomy, but the exam and real‑world practice follow common industry conventions:

Category Typical Tools (examples) What They Scan
SAST (Static Application Security Testing) bandit, semgrep, trufflehog, secret-scan Source code, configuration files, embedded secrets
DAST (Dynamic Application Security Testing) sslyze, nikto, nmap, OWASP ZAP Running applications, network services, SSL/TLS configurations

Tip: When a practice‑test question mentions “implement SAST,” you can safely assume it expects a static analysis tool (e.g., secret scanning) rather than a network scanner.

3. Compatibility of InSpec Results with DefectDojo

Native Support

DefectDojo includes a built‑in parser for InSpec compliance reports. To use it:

  1. Export the InSpec run as JSON: 
    inspec exec . --reporter json:inspec-report.json
  2. Upload the JSON file via the Import Scan UI or through the API (/api/v2/import-scan/).

Other “Code‑as‑Configuration” (CaC) Tools

If a tool does not have a dedicated parser, you can still ingest its output by:

  • Converting the report to a supported format (e.g., JUnit XML, SARIF, or generic JSON).
  • Using the Generic Findings Importer in DefectDojo, which maps custom fields to the standard schema.

A curated list of supported parsers is maintained at the official documentation site:
DefectDojo Integrations – File Parsers

4. Uploading TruffleHog Scan Results from CI/CD

Common Pitfall

When a CI job reports “upload successful” but only the file name appears in DefectDojo (no findings), the most likely cause is an incorrect output format. DefectDojo expects the JSON representation of TruffleHog results.

Step‑by‑Step Troubleshooting

  1. Generate JSON Locally 
    trufflehog git file://$(pwd) --json > trufflehog-report.json
  2. Validate the JSON – open it in a text editor; you should see an array of objects with path, reason, line, etc.
  3. Manual GUI Test
    • Navigate to Findings → Import Scan.
    • Choose TruffleHog as the parser, upload trufflehog-report.json, and click Import.
    • Verify that individual findings appear.
  4. CI/CD Integration
    • Ensure the pipeline step uses the JSON file, not the default plain‑text output.
    • Example (GitLab CI): 
      trufflehog_scan:
  script:
    - trufflehog git file://$CI_PROJECT_DIR --json > trufflehog.json
    - curl -X POST "$DD_API_URL/api/v2/import-scan/" \
          -H "Authorization: Token $DD_API_KEY" \
          -F "file=@trufflehog.json" \
          -F "scan_type=TruffleHog"
  5. Confirm Permissions – the API token must have Import Scan scope for the target product/engagement.

If the issue persists after these steps, capture the API response (status code and body) and share it with the support team for deeper analysis.

5. Practical Example: End‑to‑End SAST Workflow

1️⃣ Code commit → GitHub Action runs Semgrep (SAST) → generates SARIF report.
2️⃣ Action calls DefectDojo API:
   POST /api/v2/import-scan/
   - file: semgrep-report.sarif
   - scan_type: "Semgrep"
   - engagement: 42
   - lead: 7
3️⃣ DefectDojo creates findings, links them to Engagement #42, and notifies Lead #7.
4️⃣ Lead reviews findings, marks false positives, and closes the engagement.

This flow illustrates how IDs, scan type, and tool compatibility all intersect in a real pipeline.

6. Common Questions & Quick Tips

Question Answer
How do I know which parser to select in the UI? Look at the file extension and the tool name. The UI lists supported parsers alphabetically; hover for a short description.
Can I import multiple scan files at once? Yes. Zip the files together and select “Multiple Files” import; each file will be parsed individually.
What if my tool isn’t listed? Convert the output to SARIF or JUnit XML, both of which have generic parsers.
Do I need a separate engagement for each scan type? Not required, but recommended for reporting clarity (e.g., one engagement for quarterly SAST, another for monthly DAST).
How to automate ID discovery in scripts? Use the REST endpoints /api/v2/products/, /api/v2/engagements/, and /api/v2/users/ with jq or any JSON parser.

Pro Tips

  • Bookmark the parser reference page – it’s updated with every new release.
  • Tag each engagement with a meaningful name (e.g., Q4‑2025‑SAST) to locate IDs quickly.
  • Enable webhook notifications for new findings so leads receive instant alerts.

7. Next Steps

  1. Review the Practice Exam Solutions for concrete examples of SAST/DAST mapping.
  2. Test the InSpec and TruffleHog import processes in a sandbox environment before adding them to production pipelines.
  3. Automate ID retrieval with a small Python script that stores project_id, engagement_id, and lead_id in environment variables for CI jobs.

By mastering ID handling, understanding scan categories, and confirming tool compatibility, you’ll keep your DefectDojo instance clean, actionable, and ready for any DevSecOps certification exam or real‑world deployment. Happy scanning!